Government, industry debate the value of Common Criteria

By William Jackson

Sep 18, 2003

The Common Criteria for security software evaluation are not a panacea for assuring government IT systems, government and industry officials told a House panel Wednesday.

Most witnesses agreed Common Criteria are a valuable tool, but "evaluation does not guarantee security," said Robert G. Gorrie, deputy director for the Defense Department's Defense-wide Information Assurance Program.

Most witnesses stopped short of calling for a governmentwide requirement to use software evaluated under the program. Its application should be decided on a case-by-case basis, they said.

The Common Criteria are standards for evaluating security software against vendor claims or user requirements. Evaluations are done by approved private laboratories and are recognized by 14 nations. The program is overseen in the United States by the National Information Assurance Partnership, a collaboration between the National Institute of Standards and Technology and the National Security Agency.

Common Criteria certification for security products is required by the Defense Department, and on national security systems elsewhere in government.

Gorrie said DOD is working with the Homeland Security Department to determine whether Common Criteria certification should be more widely required. The House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census held hearings to consider whether similar certifications should be required for all government software purchases.

Witnesses explained the limitations of the scheme.

"It is not a measure of how much protection the claimed security specification provides, nor does it guarantee that the product is free from malicious or erroneous code," said Edward Roback, chief of NIST's Computer Science Division.

Certification means a product does what the vendor says it will do, and does not do anything unintended. That does not mean that it necessarily will do what the user needs it to do or that it will resist malicious attacks. Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, pointed out that Microsoft's Windows 2000 operating system has received Common Criteria evaluation, but has repeatedly proved vulnerable to worms. Microsoft has issued more than 100 patches to correct security problems in the operating system.

Spafford called the criteria a tool of "great value," but added that certification "certainly does not guarantee that what you have is safe."

Nobody said the Common Criteria are perfect, but opinions of just how valuable they are vary greatly depending on the size of the company faced with an evaluation process that can cost millions of dollars and take years to complete.

"The current evaluation process is extremely slow and bureaucratic," said Chris Klaus, chief technology officer of Internet Security Systems Inc., a small Atlanta-based company. "By the time a product is certified, it is out of date."

He called the cost "extremely burdensome," and said certification does not accurately predict the security provided by a product.

"It is not too expensive and does not take too long," Davidson said. "It is cheap compared with the alternative," which is poor software security. The savings from identifying even one software flaw more than pay for the cost of evaluation, she said.

Davidson said Common Criteria evaluation should be more generally required. "I believe it should be extended at least to entities that have a national security function," including the Homeland Security Department.

"I believe on balance it should not be mandatory," Spafford said. There is value to using the criteria where appropriate, but "there are certified products that will not work as required" in some circumstances, and could actually weaken an agency's security.